The Intercept might have unwittingly helped unmask Reality Winner, a government contractor who allegedly leaked a NSA document about Russian hacking to the news outlet.
On 5 June, The Intercept published a “Top Secret” National Security Agency (NSA) document detailing Russian efforts to interfere in the 2016 U.S. presidential election.
“Provided anonymously to The Intercept and independently authenticated,” the report reveals that Russian military intelligence conducted a digital attack campaign against a U.S. voting software supplier and sent spear-phishing emails to 100 local election officials.
These actions appear to support the view that Russia meddled in the election beyond having hacked the Democratic National Committee, an incident which EVERYONE (We’re looking at you, Mr. President.) finally agrees involved Russian military activity.
Later that same day, the Justice Department published an “Affidavit in Support of Application for Arrest Warrant” against Reality Leigh Winner. A 25-year-old government contractor with Pluribus International Corporation, Winner was arrested by the FBI in early June on the suspicion that she “willfully retained and transmitted classified national defense information to a person not entitled to receive it in violation of 18 U.S.C. § 793(e).”
The affidavit doesn’t mention any names, but it’s clear it’s accusing Winner of having leaked the NSA report to The Intercept.
As FBI Special Agent Justin Garrick explains in the affidavit:
“On or about May 9, 2017, WINNER printed and improperly removed classified intelligence reporting, which contained classified national defense information and was dated on or about May 5, 2017 (the ‘intelligence reporting’) from an Intelligence Community Agency (the ‘U.S. Government Agency’) and unlawfully retained it. Approximately a few days later, WINNER then unlawfully transmitted the intelligence reporting to an online news outlet (the ‘News Outlet’).”
How did Winner get caught? Well, it looks like the “News Outlet” had something to do with it.
According to Garrick’s affidavit, The Intercept reached out to the NSA on 1 June 2017 about publishing the document in an upcoming story. As part of the correspondence that ensued, the news outlet sent the NSA the report. An analysis of the document revealed that some of the pages had been folded or creased, suggesting that someone had printed it and carried it out of a secure facility.
The NSA subsequently determined that six individuals had printed the document. How? The intelligence agency logs its print jobs. Most newer printers leave patterns of nearly invisible yellow dots on the documents they print, so it’s possible to trace something like a Top Secret report to a print job.
(For more information about how the NSA might have traced the leaked document, read security expert Robert Graham’s write-up here.)
An internal audit yielded evidence that Winner had communicated with The Intercept. Garrick subsequently spoke with Winner at her home on 3 June 2017 about the leak, at which point in the time the contractor admitted to having stolen the document knowing full well that “the contents of the reporting could be used to the injury of the United States and to the advantage of a foreign nation.”
It appears The Intercept did no one any favors in publishing the report and sending a copy of it to the NSA. On the one hand, it probably sought to protect Winner as its source. But the document did originate from the NSA, after all. It’s a bit short-sighted of the The Intercept’s staff (and Winner, of course!) to think the NSA doesn’t have means of tracking its Top Secret reports.
On the other hand, The Intercept might have thought it was serving the public interest by publishing the report. But government agencies like the NSA classify information for a reason (not always a good one, but a reason nonetheless). This fact doesn’t even include the myriad of investigations that are examining Russian interference in the 2016 presidential elections. A leak like this could very well have some bearing on the outcome of at least some of those investigations.
No one “won” from this leak. At a bare minimum, it caused lots of headaches in the intelligence community, and it may have changed the life of one young woman forever.
For more discussion on this case, check out this episode of the “Smashing Security” podcast:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Thank you to Iovation for sponsoring this episode of Smashing Security. Iovation is a company that creates authentication and fraud prevention solutions.
It helps to secure businesses while making it simple for users to log into their favorite apps and services.
Iovation is offering Smashing Security listeners a free demo of its newest product, LaunchKey.
Visit demos.launchkey.com for your free demo, and thanks to Iovation for supporting the show.
It helps to secure businesses while making it simple for users to log into their favorite apps and services.
Iovation is offering Smashing Security listeners a free demo of its newest product, LaunchKey.
Visit demos.launchkey.com for your free demo, and thanks to Iovation for supporting the show.
Smashing Security, Episode 24: Reality Winner, Gordon Ramsay and a Leaky Bucket with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Episode 24 of Smashing Security for the 8th of June, 2017. My name is Graham Cluley, and I'm joined as ever by my buddy and co-host, Carole Theriault.
Hello, Carole, how are you?
Hello, Carole, how are you?
Hi. Why did you say my name so weirdly?
Well, it is a weird name. I mean, it's not just weirdly spelt, it is pronounced pretty strangely, isn't it?
I think most people, if they knew how you spell Theriault, would be somewhat surprised.
I think most people, if they knew how you spell Theriault, would be somewhat surprised.
Yeah. Well, I think with the way you've just pronounced it, they would.
Yeah.
That was a splendid pronunciation. That was almost as good as the Lithuanian clinic.
Who? Are you being Mr. Rogers? Oh, who's come to the door?
Who's come to the door?
Let's go see.
Who's this just poked their head through the window? We've got a special guest. It's Iain Whalley, who works for Google. Hello, Iain.
How are you?
Hello. I'm very good. How are you?
I'm absolutely gorgeous. Now tell me, Google.
Who are they?
What do they do?
Oh, I know. I know. They're the company who write that smarty-pants software that can play the Chinese game of Go. Hence, they're really called Go-ogle.
Oh, God.
I have a feeling Graham's been working on that all day.
Yeah. Yeah. I've been with them most of today because we've been at InfoSec and— Yeah.
InfoSec. So InfoSec is the big computer security show in London at Olympia where we were down there today and we met some old friends and Vanja Svajcer.
Out of 10, out of 10, what would you give the show?
What would I give the show? Probably a wide berth, to be honest.
And yet you didn't. And yet you went to it.
Because Vanja was there. Yeah, we wanted to go see a few friends, a few clients, you know.
Well, the thing, it was just very noisy and lots of people sort of shouting at each other.
How weirded out would you be if you walked into an exhibition hall and it was deathly silent?
It would.
You'd just be, oh my God.
It would be a little bit strange.
And they'd all be looking at you, Graham.
Iain, can I just say, I am so glad you're on the show because I needed a bit of it. Yeah, it's quite late here tonight right now for me.
It is. This is—
I needed your energy.
This is Smashing Security late night.
It is. It's the late night edition of Smashing Security. We're recording it actually after midnight. Can you believe? Very well. Here in the UK, it's after midnight at least.
And thank you for joining us, Iain. You're based in New York, is that right?
And thank you for joining us, Iain. You're based in New York, is that right?
That is correct. Greetings from beautiful spring-like New York.
Fantastic. So here's what we do on the show. If you haven't listened before, have you listened before, Iain? Do you even know what we're doing?
No, who are you people? I have listened to the previous few episodes, yes.
So we all pick a story which has caught our eye from the world of computer security in the last week and we have a little chat about it and it's me to go first.
And I was interested in a story which I saw published on The Intercept.
And The Intercept, if you are aware, is a publication edited by, amongst others, Glenn Greenwald, who is Edward Snowden's buddy.
And they look like they'd got a real scoop on their hands because they had been leaked some documents from the NSA. Hmm, where we've heard that story before.
Although these documents were confirming that Russia had been doing some naughty hacking.
In fact, the information which was leaked from the NSA said that Russia had coordinated a cyberattack on at least one US voting software supplier in the days before last November's presidential elections, and also claimed that spear-phishing emails and booby-trapped Word documents had been sent to over 100 election officials.
Although—
And I was interested in a story which I saw published on The Intercept.
And The Intercept, if you are aware, is a publication edited by, amongst others, Glenn Greenwald, who is Edward Snowden's buddy.
And they look like they'd got a real scoop on their hands because they had been leaked some documents from the NSA. Hmm, where we've heard that story before.
Although these documents were confirming that Russia had been doing some naughty hacking.
In fact, the information which was leaked from the NSA said that Russia had coordinated a cyberattack on at least one US voting software supplier in the days before last November's presidential elections, and also claimed that spear-phishing emails and booby-trapped Word documents had been sent to over 100 election officials.
Although—
Booby-trapped Word documents?
Yes. So malicious code embedded inside Microsoft Word documents. So you receive a Word document inside there's some nastiness.
You open the document and, exploiting a vulnerability or something.
You open the document and, exploiting a vulnerability or something.
That feels all very 2000, doesn't it?
Well, it works, you know, fundamentally. That's the thing.
If you use the right social engineering in the sort of frame of the email, as it were, you know, so the thing which encourages you to open it, either in terms of who has sent you the email or the words, you know, inviting you to open the attachment, you may well fall for it.
And this is a standard trick which we see criminals using all the time.
So the NSA think that Russia have been up to it and that the Russian state intelligence are behind these attacks.
Now, of course, this is pretty controversial stuff because there has been so much talk about Russia hacking.
And in fact, in the last week, Vladimir Putin has given an interview saying, it's not us in the Kremlin.
If you use the right social engineering in the sort of frame of the email, as it were, you know, so the thing which encourages you to open it, either in terms of who has sent you the email or the words, you know, inviting you to open the attachment, you may well fall for it.
And this is a standard trick which we see criminals using all the time.
So the NSA think that Russia have been up to it and that the Russian state intelligence are behind these attacks.
Now, of course, this is pretty controversial stuff because there has been so much talk about Russia hacking.
And in fact, in the last week, Vladimir Putin has given an interview saying, it's not us in the Kremlin.
Here we go again.
Wait, Vladimir Putin is from Belgium?
Yeah.
Wow, that's amazing.
Yeah, it's shocking. Graham is really good at this.
He doesn't interfere in foreign elections. And he's saying that.
Wow, he's from everywhere.
Yeah, he says that if there has been any hacking going on from Russia, it's not the work of his boys.
Instead, it is freelance patriotic hackers who have just taken it upon themselves to hack other countries.
So these documents have come out basically suggesting quite strongly, it's Russia who's been doing it. Okay, so that's the first half of the story.
And that's kind of interesting, you know, and obviously that's going to put a bee in someone's bonnet in the White House who doesn't want people to talk about Russia hacking, right?
Instead, it is freelance patriotic hackers who have just taken it upon themselves to hack other countries.
So these documents have come out basically suggesting quite strongly, it's Russia who's been doing it. Okay, so that's the first half of the story.
And that's kind of interesting, you know, and obviously that's going to put a bee in someone's bonnet in the White House who doesn't want people to talk about Russia hacking, right?
That's not a bonnet.
It's a bonnet. So now The Intercept published this story and literally I think within a day or so the authorities in America arrested someone.
They arrested a 25-year-old woman called—
They arrested a 25-year-old woman called—
25.
Sorry, I'm just reminiscing.
Do you remember those days?
Reminiscing quietly.
We're all just remembering being 25.
Yeah.
But Graham's about to get to the headline.
Yeah, I know it. That's my problem.
Yeah.
Go, go find me for that headline.
So they arrested a 25-year-old woman called Reality Winner.
Shut the front door.
No, no. That isn't her hacker name. That isn't her online handle. Reality Winner.
That is not a real name.
It is apparently. Her full name apparently is Reality Leigh Winner, which frankly, it's strange that you'd have such a bland middle name. Reality. Yes, Mr. and Mrs.
Winner decided to call their child Reality.
Winner decided to call their child Reality.
Well, you would, wouldn't you?
It's so obvious now.
And she allegedly has leaked this classified information. She was just like Edward Snowden, actually. She was working as a contractor for the NSA.
She's been working at an NSA facility in Georgia since February.
She's been working at an NSA facility in Georgia since February.
So she's brand new.
Yeah, so she's fairly new. And in the FBI's affidavit—
Affidavit. It is getting late, folks. It's getting late.
In the FBI's affidavit.
He's putting the emphasis on the wrong syllable.
In the FBI's affidavit in support of Winner's arrest warrant, she's accused of gathering. Are you going to do this every time I say something incorrect?
Yes.
She's been accused of gathering, transmitting, or losing defense information. So how did they work out that Reality Winner? Yeah.
I'm guessing she didn't sign her name at the bottom.
They obviously— No, she didn't sign her name.
Hugs and kisses.
So, according to the affidavit, investigators noted that the leaked document was folded or creased.
And that apparently suggested it had been printed and then carried out of a secure place. Whoa, whoa, whoa.
And that apparently suggested it had been printed and then carried out of a secure place. Whoa, whoa, whoa.
So the document was folded or creased.
Yeah.
Okay. And they know that. Okay.
And so they're saying— And that means it's been carried out of a secured place.
Okay. Okay. That's evidence. That's hard fact.
This part of the story doesn't make any sense to me.
It makes a little bit of sense, right? Because what The Intercept did was they printed out PDFs of scans of the documents, right?
If they had been emailed the actual document itself, they presumably would have printed out a new copy or done a nicer screen grab of it or something that.
But instead, they'd obviously got some sort of, at the very least, a PDF scan of a physical document.
And so the investigators, who are obviously jolly clever people, noticed that it's been folded and creased. And they said, well, why is it folded and creased?
If they had been emailed the actual document itself, they presumably would have printed out a new copy or done a nicer screen grab of it or something that.
But instead, they'd obviously got some sort of, at the very least, a PDF scan of a physical document.
And so the investigators, who are obviously jolly clever people, noticed that it's been folded and creased. And they said, well, why is it folded and creased?
Mm-hmm.
Right?
Why didn't they just print out another one if someone had accidentally sat on the document?
Where was Poirot? Maybe it wasn't even needed. Yeah.
Now, Reality Winner, delightfully named, was one of only 6 people to have printed out that document at the NSA, a document, by the way, which was not supposed to be declassified until 2042.
So tut tut.
Furthermore, they looked at her PC and they found that she had been exchanging emails with The Intercept, with the website, which frankly is a bit of a goof, isn't it, to do that from your work computer.
But there's even more than that.
Security expert Robert Graham took a look at the pictures on The Intercept website of these documents, and he says that they contain clues which could have helped whoever was trying to stamp out the leaks.
So tut tut.
Furthermore, they looked at her PC and they found that she had been exchanging emails with The Intercept, with the website, which frankly is a bit of a goof, isn't it, to do that from your work computer.
But there's even more than that.
Security expert Robert Graham took a look at the pictures on The Intercept website of these documents, and he says that they contain clues which could have helped whoever was trying to stamp out the leaks.
So security expert from the FBI?
Errata Security.
Oh, so just a security guy from a company.
Yeah, exactly.
Sorry, not just. I'm sorry, Robert, if you're listening. I'm sure you're a very good security expert.
He's an avid fan of the show. What many people don't realize is that most new printers these days print nearly invisible yellow dots onto the piece of paper.
So it's tiny little yellow dots on the white background. You can't see these really with the naked eye.
You wouldn't even notice it, but that contains little bits of metadata about where the document was printed, the serial number, when it was printed, and so forth, which is obviously sometimes very useful to law enforcement.
And in the case of the NSA, which is logging all the printing jobs sent to its printers, it can say, well, it was this printer. We can see the serial number. We can see the time.
We can work out who's actually printed this out.
So it's tiny little yellow dots on the white background. You can't see these really with the naked eye.
You wouldn't even notice it, but that contains little bits of metadata about where the document was printed, the serial number, when it was printed, and so forth, which is obviously sometimes very useful to law enforcement.
And in the case of the NSA, which is logging all the printing jobs sent to its printers, it can say, well, it was this printer. We can see the serial number. We can see the time.
We can work out who's actually printed this out.
Oh, I don't know how I feel about that, actually. That just feels creepy to me.
Well, I think the moral of the story is take out the yellow printer cartridge.
Do you know what? Do you know what? I don't even think I could get my printer to work if I did that. I think if I even replaced it with a dark printer cartridge, it would complain.
It would complain if it was empty.
It would complain if it was empty.
So you have to print something yellow to run out of yellow ink.
Or just use yellow paper.
Disclaimer for anyone planning to leak anything. I don't know if running out the yellow cartridge will work.
Yes, we're not officially endorsing that method.
Just because Iain works at Google doesn't mean he knows everything.
I'm sure he could search on DuckDuckGo though to find out if he wanted to. She doesn't appear Reality Winner to be a bit of a fan of Donald Trump.
Can we go back to her name for a second? Do you think reality shows existed at the time, 25 years ago, and that's where they got the inspiration for her name?
Oh, do you think this was just an attempt to get her on television?
Because every time you say her name, I always think— I keep waiting for you to say reality winner, program blah blah, Sarah something.
Yeah, but why didn't they call her The Winner? Or something that, something a bit more positive.
Oh, that's just silly.
You're so right. Now, Reality Winner, unfortunately, has probably, you know, blotted her copybook a little bit with the president because she isn't much of a fan.
She has been on social media using hashtags hash NeverMyPresident and said rather rude things about that wall that he wants to build between the United States and Mexico.
She has been on social media using hashtags hash NeverMyPresident and said rather rude things about that wall that he wants to build between the United States and Mexico.
Well, her and lots of, you know, intelligent people had problems with that.
But I suspect Donald Trump isn't going to look too kindly on this data leak either because he's not a big fan of things leaking out, particularly on this topic, right?
Well, he's a bit distracted right now.
He is a bit distracted. He's easily distracted, of course, by things which aren't terribly important.
But in this particular case, you can imagine, you know, there's a potential for the book to be thrown at her for a very long time. We've been joking about this.
And also, there's this serious question of why can't the NSA keep a secret.
But in this particular case, you can imagine, you know, there's a potential for the book to be thrown at her for a very long time. We've been joking about this.
And also, there's this serious question of why can't the NSA keep a secret.
Yeah, we've talked about this a number of times. Yeah, I feel for her. I feel for her. I feel for her with the name. I feel with her with this, you know, being embroiled in this.
I know it's a big step she took. I can't believe she was there for such a short time. It makes me think, and then she had access to such information. That's also very strange to me.
She's been there since February.
I know it's a big step she took. I can't believe she was there for such a short time. It makes me think, and then she had access to such information. That's also very strange to me.
She's been there since February.
Yeah.
Well, remember Edward Snowden was very young as well.
Yeah.
So, yeah.
Young people, eh? Iain.
Wow.
Iain, what have you got for us?
My story is much simpler. It's about a security researcher who found a publicly accessible so-called bucket, in quotes, of data in Amazon Web Services.
We'll come back to what a bucket is in a moment, containing data that appeared to be from some kind of private sector defense contractor. So a bucket is a great name.
We'll come back to what a bucket is in a moment, containing data that appeared to be from some kind of private sector defense contractor. So a bucket is a great name.
Okay.
I think S3 were the people who used it first. You can think of it as like a directory, right? Or a folder. It's a thing that contains files.
Yeah.
And so what this defense contractor had apparently done, uploaded information related to one of their contracts and forgotten to set the ACLs.
So they'd forgotten to protect this data. So anyone who figured out what the bucket name was, presumably by guessing, although I don't know, could just download the files in it.
And there's some confusion about whether or not the files in this particular bucket were top secret or merely highly classified.
So they'd forgotten to protect this data. So anyone who figured out what the bucket name was, presumably by guessing, although I don't know, could just download the files in it.
And there's some confusion about whether or not the files in this particular bucket were top secret or merely highly classified.
I don't even know the difference between those two.
I also don't know the difference. I presume some people think it's important.
Really, really highly classified.
Yes. Yes, secret squirrel.
For your eyes only. Undercover elephant.
That's right. It's for your eyes only. And then the level above that, I think, is Thunderball. I forget.
Anyway, the reason I like this story so much is that it's exactly the same sort of story as we were dealing with 20 years ago. Except 20 years ago, we didn't have the cloud.
We called it FTP servers. And people would upload things to FTP servers and then forget to protect the data.
And so any old random person on the internet could download things that you had left on your FTP server. Protecting that stuff then was pretty simple.
But right now, it's way more complicated with the cloud, because access control there is so much more complicated.
And because we're putting so much of our things in the cloud now, it's very easy for mistakes like this to get made.
Anyway, the reason I like this story so much is that it's exactly the same sort of story as we were dealing with 20 years ago. Except 20 years ago, we didn't have the cloud.
We called it FTP servers. And people would upload things to FTP servers and then forget to protect the data.
And so any old random person on the internet could download things that you had left on your FTP server. Protecting that stuff then was pretty simple.
But right now, it's way more complicated with the cloud, because access control there is so much more complicated.
And because we're putting so much of our things in the cloud now, it's very easy for mistakes like this to get made.
So I'm just wondering how we can deal with cock-ups like this happening all the time?
Should it be that, you know, these places where these buckets are made in the cloud to shove all of your data, should they be forcing you to set passwords or at least have them enabled by default rather than, you know, having publicly accessible folders the default instead?
I mean—
Should it be that, you know, these places where these buckets are made in the cloud to shove all of your data, should they be forcing you to set passwords or at least have them enabled by default rather than, you know, having publicly accessible folders the default instead?
I mean—
So I don't know if we know whether the default for these buckets is publicly accessible. I think these services are very complicated, right?
And Amazon has one and Microsoft has one and Google has one, and all of these companies have these cloud storage services and they all have different ways to configure them and different defaults, and the access control can get very, very complicated.
So it's very easy for me to imagine that they made a mistake with one bucket or they made a mistake on one day with one person doing something silly.
And Amazon has one and Microsoft has one and Google has one, and all of these companies have these cloud storage services and they all have different ways to configure them and different defaults, and the access control can get very, very complicated.
So it's very easy for me to imagine that they made a mistake with one bucket or they made a mistake on one day with one person doing something silly.
It just requires one person to be careless once, doesn't it?
And for data and for a story like this to explode into the headlines and to get lots of attention about, you know, sort of in this case, highly classified intelligence data being leaked out.
And for data and for a story like this to explode into the headlines and to get lots of attention about, you know, sort of in this case, highly classified intelligence data being leaked out.
Yes. And I think that's the key point, right?
There's so much data in the cloud now and so many people are working for companies, all of whom have data in the cloud, that it's very difficult for these companies to kind of keep track of what's up there and who created it and whether the access controls are correct.
There's so much data in the cloud now and so many people are working for companies, all of whom have data in the cloud, that it's very difficult for these companies to kind of keep track of what's up there and who created it and whether the access controls are correct.
Oh, that's bleak. Thanks, Iain.
You're welcome. Here to help.
Carole, please cheer us up.
Well, you know, as I spent the day at InfoSec, I had to have a pretty light story.
I was saying earlier, it's kind of if security was espresso, this is like the mochaccino jobbie with lots of froth. So we are going to talk about a celeb, sweary chef.
Who am I talking about? Gordon Ramsay, who today had reason to celebrate.
I was saying earlier, it's kind of if security was espresso, this is like the mochaccino jobbie with lots of froth. So we are going to talk about a celeb, sweary chef.
Who am I talking about? Gordon Ramsay, who today had reason to celebrate.
Lovely, isn't he?
Oh, he's so nice.
He's such a fucking charmer.
I, you know, I debated whether to call him Gordon Ramsay the whole way through just so you could bleep every single time.
All right, set the explicit tag.
Now, he was celebrating today, or had reason to celebrate, because his father-in-law was sent to the clink for 6 months.
I think we'd all celebrate.
How does Mrs. Ramsay think about this?
Oh, well, just wait. Just wait. You thought this is— Yeah.
So, why would Ramsay jump with glee at the misfortune of a man who he once said about both of them that they were as alike as wings on a plane?
So, why would Ramsay jump with glee at the misfortune of a man who he once said about both of them that they were as alike as wings on a plane?
That's a rather odd description of how alike something is because surely—
Isn't it?
The right wing is fundamentally different from the left wing.
Like mirrored.
Yes. Are you getting political today, Graham? No.
Oh, we haven't even talked about that. It's the elections. This is going out on the day of the elections.
Iain, are you voting? You're over there in America. Are you voting?
I'm not voting, no.
You're not voting?
For goodness' sake, man. It's your duty.
Iain Whalley.
Have you been away that long that you're not allowed to?
No, I think I am allowed to, but— I haven't lived in Britain for so many years that it doesn't feel right.
Oh, well, okay, okay. Anyway, back to Ramsay. Okay. So why would he jump with glee when— with his father-in-law being sent to the clink?
Well, to all tell me, I have to go back to 2008. So, turns out father-in-law is actually the CEO of Ramsay Holdings. And in 2008, they got into financial difficulty.
Of course, that was the time of the financial crisis, but also, there seemed to be quite a deep hole in the financial cash flow, and they were in trouble.
In fact, they were in such big trouble that Ramsay told the Sunday Times that he was forced to sell his Ferrari to help pay debts.
Well, to all tell me, I have to go back to 2008. So, turns out father-in-law is actually the CEO of Ramsay Holdings. And in 2008, they got into financial difficulty.
Of course, that was the time of the financial crisis, but also, there seemed to be quite a deep hole in the financial cash flow, and they were in trouble.
In fact, they were in such big trouble that Ramsay told the Sunday Times that he was forced to sell his Ferrari to help pay debts.
Oh, bless him.
So it was a big deal.
Well, we've all been there.
We have. Well, I haven't. I've never had to sell a Ferrari, so—
I myself am down to only two remaining Ferraris.
Now, anyway, you can imagine things aren't going well. I mean, I'm sure Ramsay is just a teddy bear off screen, right?
But they're fighting like cats and dogs, and eventually the father-in-law, his name is Chris Hutchinson, gets fired, and he doesn't go quietly, and it starts getting really ugly.
We're talking in the press, they're hiring detectives, they have IT specialists, they're suing each other, they're dragging their names through the dirt.
And there's a ton of accusations from Ramsay that the father-in-law is actually stealing money and hacking into his systems. So it turns out he did hack Ramsay's systems.
Publicist Phil Hall sold the private pics stolen from Ramsay's computer to the Daily Mail. Now these were private pics of Ramsay shark fishing. Do you remember this, Graham?
Just think, you're in the UK, you'd remember this. This was after he had publicly denounced the activity.
So he went around saying, and then there was pictures all with him, you know, shark fishing.
But they're fighting like cats and dogs, and eventually the father-in-law, his name is Chris Hutchinson, gets fired, and he doesn't go quietly, and it starts getting really ugly.
We're talking in the press, they're hiring detectives, they have IT specialists, they're suing each other, they're dragging their names through the dirt.
And there's a ton of accusations from Ramsay that the father-in-law is actually stealing money and hacking into his systems. So it turns out he did hack Ramsay's systems.
Publicist Phil Hall sold the private pics stolen from Ramsay's computer to the Daily Mail. Now these were private pics of Ramsay shark fishing. Do you remember this, Graham?
Just think, you're in the UK, you'd remember this. This was after he had publicly denounced the activity.
So he went around saying, and then there was pictures all with him, you know, shark fishing.
So just to be clear, shark fishing is actual shark fishing, right? Not some kind of spearfishing type of attack?
Yes.
I actually had trouble using the word fishing. I kind of think with sharks it should be like hunting. Anyway, so the question is, how did Phil get his hands on the pics?
Right, right.
They were a gift from Hutchinson directly.
So basically Hutchinson, whose sons also worked in the firm, were today found guilty of unauthorized access to computer systems, and he got 6 months in the slammer. Sons each got 4.
And the details of how they hacked are all a bit vague, but apparently they were taking pictures and looking for financial information, all to use during all their suing and trying to get a case together to say, aha, here's some proof that he's done X or done Y.
So basically Hutchinson, whose sons also worked in the firm, were today found guilty of unauthorized access to computer systems, and he got 6 months in the slammer. Sons each got 4.
And the details of how they hacked are all a bit vague, but apparently they were taking pictures and looking for financial information, all to use during all their suing and trying to get a case together to say, aha, here's some proof that he's done X or done Y.
Somehow or another, whether it was with keylogging software or phishing or something like that, or that maybe they guessed the passwords, they broke into Gordon Ramsay's webmail account.
They rifled through his emails on hundreds of occasions and were extracting information and photographs and giving them to the press and using them obviously to their advantage when they were in this dispute with Ramsay.
They rifled through his emails on hundreds of occasions and were extracting information and photographs and giving them to the press and using them obviously to their advantage when they were in this dispute with Ramsay.
Exactly.
And I mean, you know, there is a bit of a thing about using spyware to steal the passwords, but you know, this is not a huge company and it could have just been that they tried to guess the password, or that Ramsay left his machine unlocked.
It could have been anything.
And I mean, you know, there is a bit of a thing about using spyware to steal the passwords, but you know, this is not a huge company and it could have just been that they tried to guess the password, or that Ramsay left his machine unlocked.
It could have been anything.
What are the chances Gordon Ramsay has a 4-letter password?
But you know, this is not Father-in-Law of the Year Award stuff, is it?
This guy was—he's been accused of using the ghost signing machine, you know, wherever I guess Ramsay ghost signs his books, to sign all kinds of legal documents without Ramsay's knowledge.
This guy was—he's been accused of using the ghost signing machine, you know, wherever I guess Ramsay ghost signs his books, to sign all kinds of legal documents without Ramsay's knowledge.
Oh really?
He had a mistress on the books. He had a second secret family.
He's apparently transferred more than a €1 million to a French bank account, et cetera, et cetera, et cetera, et cetera, et cetera.
So yeah, this is very light on the security front, isn't it?
He's apparently transferred more than a €1 million to a French bank account, et cetera, et cetera, et cetera, et cetera, et cetera.
So yeah, this is very light on the security front, isn't it?
Well, no, I think there's an important message here.
First of all, people should go away and listen to our podcast all about securing your webmail account and the various tips we gave you there about how to defend yourself.
First of all, people should go away and listen to our podcast all about securing your webmail account and the various tips we gave you there about how to defend yourself.
And our password show.
Our password show where we talk about how to choose a good, decent password and how to remember your passwords.
But also, I think there's a fundamental thing here, which is it is not cool to hack into other people's webmail accounts, even if they are related to you.
But also, I think there's a fundamental thing here, which is it is not cool to hack into other people's webmail accounts, even if they are related to you.
Actually, it's a criminal offense.
Well, yeah.
Not so much not cool.
This guy has ended up, he's going to prison for 6 months.
Yeah.
Right? So don't do it, folks, because there are serious repercussions.
Just because it might be easy to crack into someone else's email account and to have a snoop around, don't do it.
Because if they take a dislike to you or decide to proceed against you, you could end up in prison.
Just because it might be easy to crack into someone else's email account and to have a snoop around, don't do it.
Because if they take a dislike to you or decide to proceed against you, you could end up in prison.
Yeah, and actually, you make a good point because he is not—the father-in-law is not going to jail because the pictures ended up in the Daily Mail.
It's because he accessed the computer without authorization.
It's because he accessed the computer without authorization.
You know, I also think though that sometimes these tabloid newspapers have got something to answer about these sort of things as well, because they seem so willing to handle stolen material.
Well, you see, in this case, the publicist Phil Hall says he had no idea they were stolen.
Oh, I see.
Right?
So everyone has this kind of grayish.
Yeah.
Grayish.
Did the newspapers pay for the pictures?
I think they paid Phil Hall, but apparently the pictures were a gift from Chris Hutchinson. So he didn't receive direct funds that I could find a trail for that I could validate.
I think it's also worth mentioning this wonderful phrase from the BBC article. The judge described the conspiracy as, quote, unattractive and unedifying.
Yes. And you're like, what crime is edifying? That's what I wondered when I read that.
I'm going to use the phrase unattractive and unedifying in a work context.
Okay, excellent.
I use it every time I think of Gordon Ramsay.
Are you a fan? Are you a fan?
Who, me?
Yeah.
No, no, not really. I think he's sort of a one-trick pony, isn't he?
Is he too masculine for you?
I'm sure he's a very good chef or whatever.
I think he has two tricks. One of them is cooking and the other one is swearing. Can you just shut the fuck up for 30 seconds?
That looks like a dog's dinner.
Fuck yourself. Did you hear my fucking question?
Fuck off.
You're mixing away like a fucking donkey.
Finally, your head's coming outside your fucking— Now sit down, you fucking—
He's a good swearer. I'm a fan of swearing. I think it's a good thing.
He's no Malcolm Tucker.
If we can get a security story involving Malcolm Tucker, then we're doing well.
Okay. Well, look, thank you, Carole. And I think before we go into the new section of the show, it's time to hear from our sponsor. Let's find out who our sponsor is this week.
And thanks once again to IOvation for sponsoring this episode of Smashing Security. Remember, you can visit demos.launchkey.com for your free LaunchKey demo.
Welcome back. And before we sign off today, it is time for the bit of the show where we talk about our picks of the week.
Doesn't have to be security related, could be some funny story, a book we've read.
Doesn't have to be security related, could be some funny story, a book we've read.
Anything we want, actually. Could be anything we want. Yeah.
I will go first, shall I? I'll tell you what I've got in my pick of the week. Pick of the week.
Pick of the week.
Pick of the week.
I'm not saying it.
It's so late here. It actually sounds fun to do.
Go on, Iain, you want to have a go? Pick of the week.
Pick of the week. There you go.
Thanks, Iain.
Wow.
So my pick of the week this week is a smashing little tool called Boxcryptor.
I've been using it for a couple of years, and this is a tool which works alongside your file sharing Dropbox-like syncing service. So chances are—
I've been using it for a couple of years, and this is a tool which works alongside your file sharing Dropbox-like syncing service. So chances are—
Like Google Drive, for example?
Yeah, Google Drive, OneDrive, Dropbox, all of those kind of tools and those are great, you know, those tools work really, really well.
But the one concern that I think all of us sometimes have, especially if we work in this industry, is we're shoving all of these files into the cloud effectively. And how well—
But the one concern that I think all of us sometimes have, especially if we work in this industry, is we're shoving all of these files into the cloud effectively. And how well—
Just like Iain said, yeah.
Yeah. How well are they protected?
Okay, so we've got passwords and maybe we've got two-factor authentication in place as well, but are we preventing the services themselves from reading those documents?
And also, what would happen if someone did manage to get our credentials and log into those accounts and access potentially lots and lots of our files?
Okay, so we've got passwords and maybe we've got two-factor authentication in place as well, but are we preventing the services themselves from reading those documents?
And also, what would happen if someone did manage to get our credentials and log into those accounts and access potentially lots and lots of our files?
Or if, for example, the files had been accidentally left readable.
Yeah, right.
Yeah.
Well, Boxcryptor is a solution for exactly that, because what Boxcryptor does is it invisibly is running in the background, and every file which you put onto your local sharing folder, the thing which is being synced up with the web, all of those files are being encrypted.
And so you have end-to-end encryption.
And those files will then of course be synced in their encrypted form onto your other devices where you also have your Boxcryptor client, which is decoding them completely invisibly as well.
Well, Boxcryptor is a solution for exactly that, because what Boxcryptor does is it invisibly is running in the background, and every file which you put onto your local sharing folder, the thing which is being synced up with the web, all of those files are being encrypted.
And so you have end-to-end encryption.
And those files will then of course be synced in their encrypted form onto your other devices where you also have your Boxcryptor client, which is decoding them completely invisibly as well.
So it doesn't work then, and you're in trouble if you're trying to access your drive from a non-authorized computer.
What will happen is you will be accessing encrypted files and you can even choose to encrypt the file names as well.
Right. Okay. So it's encrypted, but how— and then I download it if I want to see it from a non-OK computer, I need to go get Boxcryptor on it.
You need to go and get the client and you will need to enter your password.
Yeah.
In order to properly decrypt them.
For Boxcryptor, you mean?
And it's really neat. And I think Boxcryptor is free for personal use.
If you just want to use it with one sort of service, just if you only want to use it with Dropbox, if you want to use it with more, then you can pay a little bit of money and there's obviously sort of business versions of it as well.
But it's a great tool. There are other tools which do similar jobs out there.
If you just want to use it with one sort of service, just if you only want to use it with Dropbox, if you want to use it with more, then you can pay a little bit of money and there's obviously sort of business versions of it as well.
But it's a great tool. There are other tools which do similar jobs out there.
I'm gonna have a go at it. I'm gonna have a try with it, actually. Actually, I'm going to play around with it.
I think it's really nice and they seem like a nice company as well.
And how long have you been using this?
Oh, I've been using it for a few years now.
And you're telling me about it now? We talk every week, just saying.
Iain, what's your pick of the week?
Wow, this is awkward.
Not really, it's about every 10 seconds.
Number 9 is another very simple one.
I was traveling recently and whenever I travel I use a feature of Google Maps on my electric cellular telephone that it turns out many people don't seem to know exists, which is not surprising because until recently it was well hidden.
It's the fact that you can download maps, sections of the map, to be used offline.
And this is one of those tips that people who already know this are going, well, duh, obviously you can do that.
I was traveling recently and whenever I travel I use a feature of Google Maps on my electric cellular telephone that it turns out many people don't seem to know exists, which is not surprising because until recently it was well hidden.
It's the fact that you can download maps, sections of the map, to be used offline.
And this is one of those tips that people who already know this are going, well, duh, obviously you can do that.
That.
But people who don't know you can do this are going, wow, that's magic. Because you can select regions of the maps that you want to download and have them offline on your phone.
And then when you go to these countries where you may not have cellular telephone service, you can continue to use the maps just as if you did.
And then when you go to these countries where you may not have cellular telephone service, you can continue to use the maps just as if you did.
Or if you live in an area where there's shit service or blank spots.
Or if you live in an area, yes, where there's terrible service.
And I think modern versions of Google Maps apps, at least on Android, I don't know about iPhone, will automatically download your home area, so the area around where you— where it thinks you live.
And I think modern versions of Google Maps apps, at least on Android, I don't know about iPhone, will automatically download your home area, so the area around where you— where it thinks you live.
Yeah.
So that this always works for you. And driving directions at least work offline, so you can continue to use driving directions.
And that's the coolest little thing, actually. That actually saved me once.
I— it was late at night and I was trying to get home, and I was just— and there was no coverage, and that saved me.
I— it was late at night and I was trying to get home, and I was just— and there was no coverage, and that saved me.
So you can't download them forever. You have to renew them.
So if you're going abroad for a while, you're going to want to make sure that your phone sees Wi-Fi every now and then so it can update the areas.
But it works very well, and I think it's great. And I don't know if Apple Maps has the same feature. I do not own one of those Apple telephones.
So if you're going abroad for a while, you're going to want to make sure that your phone sees Wi-Fi every now and then so it can update the areas.
But it works very well, and I think it's great. And I don't know if Apple Maps has the same feature. I do not own one of those Apple telephones.
God, I knew you'd have to advertise that.
I'm just looking at this. So I'm looking at this right now on an iPhone, since you mentioned it. I didn't know that this facility existed, and it looks really cool.
How big an area can you tell it to download offline?
How big an area can you tell it to download offline?
So there's a limit to the size of an individual area that you can download, right? But nothing prevents you downloading multiple adjacent individual areas, right?
Okay.
So I did have to do this rather because I was visiting several countries, so I did have to do this rather annoying thing where I had to download a series of rectangles that covered the area that I needed.
But you can do that and it works and then it's just transparent.
But you can do that and it works and then it's just transparent.
That's a really good tip, Iain.
Good tip, Iain Whalley.
Thank you very much for that.
Graham, didn't you once, because you used to, I have this vague memory of you dog walking around your place and there not being good coverage and downloading maps and loving that offline map experience.
Graham, didn't you once, because you used to, I have this vague memory of you dog walking around your place and there not being good coverage and downloading maps and loving that offline map experience.
That's correct.
It is? Yeah, that was ages ago.
Yeah, yeah, yeah, yeah.
No, that— and I've forgotten the name of the app which I was using, but basically, yes, it downloaded an entire map onto my phone, and I was able to get a GPS signal, but I wasn't able to get a data signal.
No, that— and I've forgotten the name of the app which I was using, but basically, yes, it downloaded an entire map onto my phone, and I was able to get a GPS signal, but I wasn't able to get a data signal.
Exactly, that was it.
And it was very helpful if you went on a good walk.
I'm sure there are listeners who go hiking and doing things like that, much more adventurous than me, who would know much more about this.
It's definitely worth mentioning that other programs also have the feature, like OpenStreetMap will, I think, let you do this as well.
It's definitely worth mentioning that other programs also have the feature, like OpenStreetMap will, I think, let you do this as well.
Right. Cool. Well, good tip because plenty of people do have Google Maps, of course, and may not realise that that feature exists. So nice one, Iain.
Thank you very much.
Nice plug for Google too.
Yeah, because they need it, let's face it.
That's right.
That's what I was thinking. Okay, my tip, my tip, my tip. So my tip is an article in The Guardian called Trump in Translation.
And this is all about the challenges that translators have with how should I put this, you know, Trump's special turn of phrase, shall we put it.
So, Sue Ruta, professor of interpreting and translation studies at Tokyo University of Foreign Studies— God, that's a mouthful— was interviewed in the piece, and I just wanted to pull out a quote for this she said because it's so fascinating.
Because you have to think about it, how would you translate a lot of the things he says?
And this is all about the challenges that translators have with how should I put this, you know, Trump's special turn of phrase, shall we put it.
So, Sue Ruta, professor of interpreting and translation studies at Tokyo University of Foreign Studies— God, that's a mouthful— was interviewed in the piece, and I just wanted to pull out a quote for this she said because it's so fascinating.
Because you have to think about it, how would you translate a lot of the things he says?
How would you translate them into English sometimes?
Quite. But she says the biggest problem was the occasional absence of logic from Trump's stream of consciousness.
I tell my students that with simultaneous interpretation, the trick— because it's simultaneous, right?
Simultaneous interpretation— the trick is to anticipate the speaker's intention and tell a story, to be slightly ahead of the game.
But when the logic is not clear or a sentence is just left hanging in the air, we have a problem.
We try to grasp the concept and get to the core of the message, but in Trump's case, it's so incoherent. You're interpreting, and then suddenly the sentence stops making sense.
And we risk ending up sounding stupid.
So apparently they're now having to study instead of looking at dictionary words, they have to read all kinds of cultural idiomatic kind of probably Urban Dictionary to try and find the meaning of, you know, certain phrases that he uses.
I tell my students that with simultaneous interpretation, the trick— because it's simultaneous, right?
Simultaneous interpretation— the trick is to anticipate the speaker's intention and tell a story, to be slightly ahead of the game.
But when the logic is not clear or a sentence is just left hanging in the air, we have a problem.
We try to grasp the concept and get to the core of the message, but in Trump's case, it's so incoherent. You're interpreting, and then suddenly the sentence stops making sense.
And we risk ending up sounding stupid.
So apparently they're now having to study instead of looking at dictionary words, they have to read all kinds of cultural idiomatic kind of probably Urban Dictionary to try and find the meaning of, you know, certain phrases that he uses.
He does have an idiosyncratic way of speaking, doesn't he? It is like nothing I've ever encountered before.
Well, yeah.
It is quite extraordinary.
I mean, I'm sure, you know, if he were here— unfortunately, I did contact him, he said he was a bit too busy to come on the show tonight— but I'm sure he would say he's simply smarter than these interpreters and they need to be a little bit brainier if they can't follow what he's saying.
I mean, I'm sure, you know, if he were here— unfortunately, I did contact him, he said he was a bit too busy to come on the show tonight— but I'm sure he would say he's simply smarter than these interpreters and they need to be a little bit brainier if they can't follow what he's saying.
But you think about it, how many people are relying on those translations to understand, you know, the discussion or the argument?
I guess I know what you're saying, not many even people in English are understanding a lot of the arguments, but still, you know, it's a well, at least we have the—
I guess I know what you're saying, not many even people in English are understanding a lot of the arguments, but still, you know, it's a well, at least we have the—
At least we do kind of speak a similar language to Americans. We have a fundamental sort of concept as to what they might be speaking about, and even in his case.
But yes, you're right.
If he was going out and having discussions with, I don't know, the boss of Korea or something like that, or the Taiwanese president, or who knows what, the interpreter's job is really critical, isn't it?
But yes, you're right.
If he was going out and having discussions with, I don't know, the boss of Korea or something like that, or the Taiwanese president, or who knows what, the interpreter's job is really critical, isn't it?
Yeah.
And so how fascinating that they seem to be struggling so much. How did they fare with—
Kofi Annan?
Kofi Annan! I was going to say, how did they fare with Barack Obama? Do we know how they dealt with him?
That must have been a dreamy experience.
We're such liberals, aren't we, on this podcast?
No, he just was a really, really great speaker.
He was actually. I think he was actually, yeah, regardless of the politics, whether you agreed with him or not, I think he was a fine orator. That's true.
And easy on the eyes, just saying.
And he did speak in what I believe the professionals call complete sentences.
Yes, with full stops.
Well, talking of full stops, that just about wraps it up. Thanks for tuning in. Thank you, Iain, for joining us on the show today. We really appreciate it.
Thank you for having me.
And if you enjoyed the show there at home, please tell your friends, let us know what you think, and even perhaps you can spread the word by leaving us a review on LastPass.
And more importantly than spreading the word, make sure you vote. Make sure you vote if you're in the UK.
Oh, yeah.
Pretty important. If you're hearing this later, I hope you voted.
Yeah. Go to www.smashingsecurity.com. You can find an email contact form there, link to our Twitter as well. And until next week, we'll be back with another episode. Toodaloo.
Bye.
Bye!
That's Iain.
Oh, please.
You think the American people would have EVER been told about the depth of Russian hacking (in collusion with the Trump team) without this leak?
What no one has the guts to acknowledge is that there will NEVER be impeachment articles drawn up, let alone even a DOJ indictment against anyone higher than Flynn (who will instantly be given a presidential pardon).
This is the tyranny of one-party rule – just like in Mother Russia. The US is well down the road of fascism, but just like the proverbial boiled frog, the complacent public won't realize until it is too late.
Gee, the unfounded accusations are still flying fast and furious. Can anyone offer one piece of evidence, just one, of "Collusion"? between the Trump campaign and Russia ??? No ?? That's because there is none. Only insinuations and speculation so far. No REAL proof. But the real fascist are the law breakers on the left, conveniently ignored by the MSM. Those who try and squelch free speech. And riot at the least cause to get attention, and destroy properties. Show where the right has ever, I mean ever, acted in such a fashion? You can't, but hypocrites be warned, you will get that police state if you keep it up. England will beat the US there, perhaps even before the EU.
"Trump is writing a new political play book (or perhaps revising an old one) that suggests it's better to lie large, often and unapologetically then ever admit you are wrong. One poll conducted earlier this year found that nearly two-thirds of Trump supporters believe Obama was born outside the United States" (Baltimore Sun, The (MD) 09/19/2016). It is disturbing that Trump's use of Hitler's play book of dishonesty, intolerance, hatred, and fear would work in the new millennium. Haven't we learned anything from history?
I really fell pity for this poor girl; she has been failed by everyone in her life who should have been, but were not, responsible adults. I blame her professors and deans in the colleges she attended who gave her "safe spaces" where she did not learn to hear and digest opposing ideas. I blame big media personalities like Reza Asslan and Kathy Giffin who taught her it's ok to use terms like Piece of S**t about, or symbolically decapitate those with whom you disagree. I blame Pluribus and the NSA for allowing someone to work at the NSA without even checking their social media output. I blame her mother who gave her child the name Reality but failed to instill in her enough sense of reality to realize that there are grave consequences for stealing top secret information from an intelligence agency of a global superpower. I pray the court shows her mercy. Though 25 years old, because of our failures, she's just a child who was handed a loaded gun.
If you want to play the blame game and beat yourself up about "our failures" be my guest, but don't include me. I failed no one. Reality sucks for Reality Winner, but she's not a victim. She's an adult who made choices and any trouble she's in is her own doing.
If you feel so strongly about it, then go to her trial and offer to take responsibility for her actions. If you're not willing to do that, then plaster a band-aid on your bleeding heart and move on……..
This woman was aware of the penalties for treason, she signed multiple documents over the course of her time in the Air Force, and upon taking the contracting job stating that she would protect the information she was being given access to. Instead she made a conscious decision to betray her country. I hope our legal system sends a strong message to this traitor.
Thankfully she was caught before she was able to cause serious damage to the national security. Someone as misguided and ignorant as she is, is highly susceptible to enemy influence and recruitment.
Nonsense. If anything, she worked to protect the country and expose Soviet meddling. If they arrest the whistleblower, democracy is at stake. The people like you who are trying to protect the fact that the Soviets meddled in our great country are either Soviet Bots or the treasonous traitors to America.